"Failed to add SSL Certificate. Broken chain" Error While Importing Certificate Issued by Private CA on VIP Enterprise Gateway

Article ID: 156799

Products

VIP Service

Issue/Introduction

The following error appears when installing an SSL certificate issued by a private CA by copying and pasting it into the Paste SSL Digital Certificate box on the VIP Enterprise Gateway under Settings > SSL Certificate.

Failed to add SSL Certificate. 

Broken chain. Signature fails on [CN=xxx, DC=xxx, DC=xxx, DC=com]

Cause

The error can occur when a CSR is generated from the VIP Enterprise Gateway and then submitted to a private CA for a certificate, or when a certificate is imported without first adding the private CA chain to the VIP Enterprise Gateway.

Resolution

  1. Import the appropriate root and intermediate certificates for the private CA chain into the VIP Enterprise Gateway under Settings → Trusted CA Certificate → Add Certificate.
  2. Restart the VIP Enterprise Gateway Service from the Windows/Linux services console.
  3. If the CSR was generated from the VIP Enterprise Gateway:
    > Select Install, then paste the SSL Digital Certificate you received into the form. No extra spaces or line breaks should be included.
    > Click Submit to add the SSL Certificate.
  4. If the CSR was not generated from the VIP Enterprise Gateway:
    > Select SSL Certificate → Add SSL Certificate, then choose Import SSL Certificate. Select the file, then supply the correct password and a cert alias.
    > Click Submit to add the SSL Certificate.

*Note: Remove old or expired root and intermediate certificates that do not match the current SSL certificate installation, and ensure that only the current root and intermediate certificates are present in the Trusted CA store. Java applications attempt to use the first root or intermediate CA found. If that CA does not match the serial number in the SSL certificate chain, the error may still be thrown.
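The chain requirement in step 1 and the stale-CA case in the note can be checked offline before importing. The script below is an added example, not part of the original article or the vendor's tooling. It uses OpenSSL 1.1.0 or later (an assumption; the Gateway's own validation is Java-based), and every key, certificate and name in it is constructed.

```shell
#!/bin/sh
# Pre-import check for a privately issued certificate (needs OpenSSL 1.1.0+).
# Every key, certificate and name below is constructed for the demonstration.

# chain_ok LEAF CA_PEM...: succeeds only if LEAF chains to a self-signed root
# using exactly the listed CA certificates; the system trust store is ignored.
chain_ok() (
  leaf=$1; shift
  bundle=$(mktemp) || exit 2
  trap 'rm -f "$bundle"' EXIT
  cat "$@" > "$bundle"
  openssl verify -no-CAfile -no-CApath -CAfile "$bundle" "$leaf" >/dev/null 2>&1
)

# make_demo_pki DIR: build root -> intermediate -> leaf, plus old.pem, a
# retired root that reuses the root's subject name with a different key.
make_demo_pki() (
  cd "$1" || exit 2
  exec >/dev/null 2>&1
  root_dn='/DC=com/DC=example/CN=Example Private Root CA'
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$root_dn" \
    -keyout root.key -out root.pem &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$root_dn" \
    -keyout old.key -out old.pem &&
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Issuing CA' \
    -keyout int.key -out int.csr &&
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 30 -out int.pem &&
  openssl req -newkey rsa:2048 -nodes -subj '/CN=vip-eg.example.internal' \
    -keyout leaf.key -out leaf.csr &&
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -out leaf.pem
)

# report LABEL LEAF CA_PEM...: print the verdict for one trusted-CA set.
report() {
  label=$1; shift
  if chain_ok "$@"; then echo "$label: chain OK"; else echo "$label: broken chain"; fi
}

demo=$(mktemp -d) && make_demo_pki "$demo" || echo "openssl setup failed" >&2
report "root + intermediate" "$demo/leaf.pem" "$demo/root.pem" "$demo/int.pem"
report "root only"           "$demo/leaf.pem" "$demo/root.pem"
report "stale root + inter." "$demo/leaf.pem" "$demo/old.pem" "$demo/int.pem"
```

To check a real certificate, call `chain_ok` with the issued certificate followed by the exact CA files you intend to add to the Trusted CA store.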